How Apple Pay could make the Target and Home Depot breaches a thing of the past

The launch of Apple's mobile payment system could prove a turning point in the battle to secure your debit and credit card information from hackers.

Tens of millions of card numbers have been stolen in the last few months from malware-infected payment terminals in stores including Targetand Home Depot. The thefts were possible in part because the card information gets stored in an unencrypted form inside the terminals.

Apple announced a system this week, one that uses a payment standard based on NFC technology. When users of its new iPhone 6 and iPhone 6 Plus smartphones walk into a store, they'll be able to wave their phone over an NFC reader to complete a purchase.

The system, which relies in part on Apple's Touch ID biometric technology to verify the user's identity, could finally replace a payment technology that's been in use for five decades.

"Whether it's a credit or debit card, we're totally reliant on the exposed numbers and the outdated and vulnerable magnetic stripe interface," Apple CEO Tim Cook said Tuesday when he introduced his company's alternative, called Apple Pay.

The contactless "tap and go" system relies on a new payment technology called tokenization. In place of your payment card number, a 16-digit proxy is stored in a security chip in the phone. That number, which is the token, is given to the retailer when a purchase is made, meaning your actual payment card number doesn't get handed around.

The retailer sends the token through its payment network to Visa, Mastercard or American Express. Those card issuers identify the number as a token and pass it to a trusted third party, which converts it to the original card number and sends it back to the issuer.

That conversion happens deep within the payment network, several levels removed from the retailers' payment systems that are the target of many hacking attempts today.

"The real processing happens in a much more secure environment," said Steve Mathison, vice president of payment acceptance at First Data, an Atlanta-based payment systems provider.

"When the real [card number] is exposed, it's at the last minute and only to the issuer," he said. "The merchant doesn't have it and the [retailer's payment network] doesn't have it."

Additional pieces of data, unique to the transaction and the user, are incorporated to prevent a token from being reused for a second transaction, even if its stolen.

The U.S. banking industry has started to end its reliance on magnetic stripe cards in favor of chip-based cards already popular in Europe, but that isn't enough for some.

Contactless NFC systems have been slow to take off, but Apple Pay could help change that, especially if it's as easy to use as Tim Cook demonstrated in his Tuesday keynote. Users simply hold their thumb on the Touch ID sensor and tap the phone against a payment terminal.

The NFC technology is based on a standard developed by credit card companies that's already in use at about 220,000 locations in the U.S. Google Wallet also uses NFC but hasn't employed tokenization. It also hasn't been widely adopted by consumers.

According to Cook, that's because the solutions today don't focus enough on the user experience. "We love this kind of problem. This is exactly what Apple does best."

A successful roll out of Apple Pay would accelerate competition and help hasten the roll out of NFC terminals, said John Beatty, president of engineering at Clover Networks, which produces payment terminals for retailers. The company is already advertising systems that accept Apple Pay.

"In my opinion, it could be a tipping point," he said. "The U.S. is moving to chip and sign ... so you insert a chip card and it takes a little bit of time to authorize and you still need a signature. If you instead have people pull out their phones, put their thumb on the Touch ID and pay, it's a more pleasant and faster payment experience."

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.